LastPass has revealed a little more about the vault breach of August 2022. And there are big, big lessons to be learned for Dev(Sec)Ops.
The new revelation centers around a “senior DevOps engineer,” who accessed highly sensitive encryption keys from their home PC. This hapless individual was one of only four employees with access to these critical keys, which unlocked the cloud-storage backups holding customers’ encrypted password vaults.
And waddya know? The PC was infected with a keylogger. In this week’s Secure Software Blogwatch, we facepalm, furiously.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Soyuz Globus mechanical computer.
Yearnings for learnings
What’s the craic? Lawrence Abrams reports — “LastPass: DevOps engineer hacked to steal password vault data in 2022 breach”:
“Wide and varied”
In December … LastPass disclosed a breach in [August 2022] where threat actors stole partially encrypted password vault data and customer information. The company has now disclosed how the threat actors performed this attack [via] a keylogger on a senior DevOps engineer's computer [dropped] by exploiting a remote code execution vulnerability in [Plex] media software.
LastPass ultimately detected the anomalous behavior through AWS GuardDuty Alerts when the threat actor attempted to use Cloud … IAM roles to perform unauthorized activity. … Customer information [that] was stolen in the attack … is wide and varied, ranging from Multifactor Authentication (MFA) seeds, MFA API integration secrets, to Split knowledge component (“K2”) Key for Federated business customers.
Wait. Pause. They stole the K2? Chaim Sanders waxes apoplectic — “It’s All Bad News: An update on how the Lastpass breach affects Lastpass SSO”:
“Nothing to see here”
A little more than a month ago, LastPass support explicitly indicated (to multiple sources) that K2s were not impacted. … A few weeks ago I released a detailed analysis of how the Lastpass breach affected LastPass’s SSO implementation. Today, LastPass quietly sneaked an update [out] that completely eviscerates both the information Lastpass provided customers and the advice from my previous post.
LastPass vault passwords are generated [by] base64(SHA256(K1 XOR K2)). This equation defines K1 as the company wide secret and K2 as the user generated secret. … They subsequently try to walk back the impact … by saying: “Knowledge of [K2] would give away nothing of the resulting key.” … Don’t be fooled. … K1 [is] less of a ‘secret’ and more of a speed bump: … K1 doesn’t change, is the same for the whole organization, and is available to every employee. … Any user who looks at their web browser console or proxies their traffic can access the K1. [And] the breach divulged the company name of the vault in plaintext.
If the attacker cracks one K1 for an org, they get access to all the org’s vaults. … Yup, everything is fine, nothing to see here.
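To make Sanders’ point concrete, here is an added example (mine, not LastPass or Sanders’ code) that models the quoted derivation, base64(SHA256(K1 XOR K2)), for a constructed organization. Key sizes (32 bytes), the org name and the user K2 values are assumptions; the point it demonstrates is that one org-wide K1 plus the leaked per-user K2s yields every vault key, and that rotating K1 changes every user’s vault key, so every vault has to be re-keyed.

```python
import base64
import hashlib

# Added illustration of the quoted formula, not LastPass code.
# Assumption: K1 and K2 are each 32-byte secrets.


def derive_vault_key(k1: bytes, k2: bytes) -> str:
    """base64(SHA256(K1 XOR K2)), as quoted in the post above."""
    if len(k1) != len(k2):
        raise ValueError("K1 and K2 must have equal length for the XOR")
    mixed = bytes(a ^ b for a, b in zip(k1, k2))
    return base64.b64encode(hashlib.sha256(mixed).digest()).decode("ascii")


def recover_org_vault_keys(org_k1: bytes, stolen_k2s: dict) -> dict:
    """One org-wide K1 plus the leaked per-user K2s gives every vault key in the org."""
    return {user: derive_vault_key(org_k1, k2) for user, k2 in stolen_k2s.items()}


def rekey_after_k1_rotation(old_k1: bytes, new_k1: bytes, k2s: dict) -> dict:
    """Map each user to (old vault key, new vault key) after K1 is rotated.

    Every pair differs, which is why a K1 reset implies re-encrypting every
    vault in the organization rather than flipping one setting.
    """
    return {
        user: (derive_vault_key(old_k1, k2), derive_vault_key(new_k1, k2))
        for user, k2 in k2s.items()
    }


# Constructed sample organization (hypothetical values, not real keys).
ORG_K1 = hashlib.sha256(b"constructed: example-corp K1").digest()
STOLEN_K2S = {
    "alice@example.com": hashlib.sha256(b"constructed: alice K2").digest(),
    "bob@example.com": hashlib.sha256(b"constructed: bob K2").digest(),
    "carol@example.com": hashlib.sha256(b"constructed: carol K2").digest(),
}

if __name__ == "__main__":
    # Attacker view: K2s from the breach, K1 lifted from the browser console.
    for user, key in recover_org_vault_keys(ORG_K1, STOLEN_K2S).items():
        print(f"{user}: {key}")
    # Defender view: rotating K1 changes every vault key.
    new_k1 = hashlib.sha256(b"constructed: example-corp K1 (rotated)").digest()
    for user, (old, new) in rekey_after_k1_rotation(ORG_K1, new_k1, STOLEN_K2S).items():
        print(f"{user}: {old} -> {new}")
```

Note that neither half alone fixes the key: without K1, each K2 is XORed against an unknown value and the SHA-256 output is unpredictable. The weakness Sanders describes is not in the XOR but in K1 being a static, org-wide value that any client can read.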
Sky falling. Film at 11. Wladimir Palant analyses a “few additional bits of information”:
“That’s pretty damning”
It took until December 2022 for LastPass to admit losing their users’ partially encrypted vault data. … The new master password policy introduced in 2018 is [still] not being enforced: … While new accounts need long master passwords, my old test account still goes with eight characters. The password iterations setting hasn’t been updated [either], leaving some accounts configured with 1 iteration despite the default being … 600,000 iterations. … As far as LastPass is concerned, everything seems to be just fine.
TL;DR: The breach was helped by a lax security policy, an employee was accessing critical company data from their home computer. Also, contrary to what LastPass claimed originally … Federated Login Services are very much affected by this breach, [which is] really bad news. … And to make matters worse, LastPass makes resetting K1 very complicated.
LastPass makes it sound like the employee’s fault. [But] what kind of security policies allowed an employee to access highly critical company assets from their home computer? … Allowing an employee to access company secrets from a computer where they also run an at least four years old Plex version that is directly accessible from the internet – that’s pretty damning.
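Palant’s two findings, eight-character master passwords and accounts still at 1 iteration, compound. The following is an added example (my code, not LastPass’s or Palant’s) that assumes LastPass’s client-side derivation is PBKDF2-SHA256 over the master password salted with the account e-mail, that the 2018 policy minimum is 12 characters, and a constructed attacker hash rate and account list; it derives the key at both iteration settings, estimates brute-force cost, and runs a policy audit over the sample accounts.

```python
import hashlib

MIN_MASTER_LENGTH = 12        # assumed 2018 policy minimum
DEFAULT_ITERATIONS = 600_000  # the current default quoted above
PRINTABLE_ASCII = 95          # alphabet size assumed for the brute-force estimate


def derive_master_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client-side key derivation modelled as PBKDF2-SHA256(password, salt=email)."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def seconds_per_guess(iterations: int, sha256_per_second: float) -> float:
    """Each PBKDF2-HMAC iteration costs about two SHA-256 compressions for the attacker."""
    return 2.0 * iterations / sha256_per_second


def expected_crack_seconds(password_length: int, iterations: int,
                           sha256_per_second: float,
                           alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Expected brute-force time: half the keyspace at the per-guess cost."""
    keyspace = alphabet_size ** password_length
    return (keyspace / 2) * seconds_per_guess(iterations, sha256_per_second)


def audit_accounts(accounts, min_length=MIN_MASTER_LENGTH,
                   min_iterations=DEFAULT_ITERATIONS):
    """Return (email, reasons) for every account below the policy that was never enforced."""
    findings = []
    for acct in accounts:
        reasons = []
        if acct["master_password_length"] < min_length:
            reasons.append(
                f"master password length {acct['master_password_length']} < {min_length}")
        if acct["iterations"] < min_iterations:
            reasons.append(f"iterations {acct['iterations']} < {min_iterations}")
        if reasons:
            findings.append((acct["email"], reasons))
    return findings


# Constructed account records, not real LastPass data.
SAMPLE_ACCOUNTS = [
    {"email": "new2023@example.com", "master_password_length": 16, "iterations": 600_000},
    {"email": "old2018@example.com", "master_password_length": 8, "iterations": 600_000},
    {"email": "legacy@example.com", "master_password_length": 8, "iterations": 1},
]

if __name__ == "__main__":
    weak = derive_master_key("Tr0ub4dor", "legacy@example.com", 1)
    strong = derive_master_key("Tr0ub4dor", "legacy@example.com", DEFAULT_ITERATIONS)
    print("1 iteration:      ", weak.hex())
    print("600,000 iterations:", strong.hex())
    rig = 1e10  # assumed SHA-256 rate of a cracking rig, hashes per second
    for length in (8, 12):
        for it in (1, DEFAULT_ITERATIONS):
            days = expected_crack_seconds(length, it, rig) / 86400
            print(f"{length} chars, {it:>7} iterations: ~{days:,.0f} days")
    for email, reasons in audit_accounts(SAMPLE_ACCOUNTS):
        print(email, "->", "; ".join(reasons))
```

The iteration count scales the attacker’s cost linearly (600,000 iterations is 600,000 times the work of 1), while each extra password character multiplies the keyspace by the alphabet size, so an account with both defaults unchanged is the worst of both worlds. An audit like the one above is what one would expect a vendor to run, and then enforce, after a vault-data theft.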
Ouch. Publius Enigma is astonished:
Everything about this screams amateur hour. … For a company whose sole product is security this is terrifying.
It shouldn't be possible for a senior DevOps engineer to use her or his personal computer to access and store highly sensitive corporate data and infrastructure. It certainly shouldn't be possible to have Plex, of all things, installed alongside corporate data and systems access.
I work with some sensitive data. … I can only access anything work related from a company-issued device that is enrolled with an endpoint manager, encrypted and secured with about 4 different endpoint security solutions. All software must be installed through a company portal, and all data to and from device … is inspected for malicious exfiltration or infiltration — even in the office.
Accessing even my work email on a personal device, let alone one running a compromised version of Plex, just isn't going to happen. For LastPass to allow this to happen points to deeper issues.
Ouch again. MachineShedFred is even more blunt:
Why the **** does the IT department at a company that makes security software allow non-company owned systems to connect to anything at all, much less production code, databases, logging, etc.? … I mean, did they give the IT security job to some C-suite's nephew because he's good at computers and stuff?
Stick a fork in LastPass? IncRnd hopes it recovers:
LastPass is not deserving of any trust as a password product of any kind. That a password was captured by a keylogger on a DevOps home computer shows that they don't understand how to secure remote computers, the meaning of defense in depth, the importance of proper login authentication, or how to secure data at rest.
I don't wish them ill. I hope they recover from this, but they need to understand security to produce a security product.
He divides opinion, but Steve Gibson makes a great point about infrastructure entropy and technical debt:
Things tend to become more complicated over time. This is usually driven by inevitably changing requirements.
Then the requirements change again and some customizations are required and some custom glue code is created by someone who later quits and takes [their] notes and knowledge with [them]. Anyone who has been working within a complex environment with many players and constant time pressure, where needs are dynamically changing, will probably be able to relate to the sort of mess that winds up evolving from what was originally a simple solution.
This sort of creeping, evolving complexity makes both keeping things truly secure and recovering rapidly from a security incident much more difficult. There really needs to be someone assigned the task of stepping back from the day to day fray to take a holistic view of an enterprise’s systems and be constantly working to re-integrate the inherently disintegrating systems that naturally form. Keeping things as simple as possible has tremendous benefits for an organization, and in a sufficiently large organization, it really ought to be a job title.
Who in their right mind would store their passwords in the cloud? kurohouou argues it’s the best place for them:
Cloud based password storage can be safe and secure if done right. The problem is LastPass took shortcuts over the years, from lax updates to its security hashing policies (i.e., [not] mandatory increasing hash numbers from the hundreds to the hundreds of thousands), to not encrypting all data but only passwords.
And what of the hapless DevOps engineer? Here’s a puntastic nullcodes:
It turns out they didn't fire the employee whose PC was compromised. However, they did tell him sternly that it was his last pass.
Meanwhile, donutshop suggests a new job title:
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or firstname.lastname@example.org. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.